Botnets: How your computer might secretly be doing the work of international criminals

There might be no way to know that your computer is being called on to shut down and steal from the world

Andrew Griffin
Sunday 10 December 2017 23:29 GMT
Comments
The Andromeda galaxy. Just like the cluster of stars, the various computers in a botnet are linked together despite looking separate if you're close enough to them
The Andromeda galaxy. Just like the cluster of stars, the various computers in a botnet are linked together despite looking separate if you're close enough to them (Nasa)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Your computer or router looks innocent enough. But it could be taking part in international crime without your knowledge.

That's if it is being used in a botnet, or a collection of computers that have had malicious software installed on them that allows someone to direct them as a group from afar. Security experts say that botnets are one of the many dangers that are posed to computers and their owners – and the opportunities to use them are growing all the time.

The problem of botnets was highlighted this week when multiple law enforcement agencies announced they had shut down the Andromeda botnet. That constellation of computers, spread all around the world, were being collectively controlled and put to work doing criminal tasks for their masters.

The shutdown brings an end to one of the most prevalent, damaging botnets. But it highlights the sinister behaviour of such tools – dangerous malware that can find its way into computers and other devices and control them for use in various unethical and illegal ways.

Perhaps the most disturbing thing about botnets is there's no way to know that the computer on your desk or the router sitting innocently as you watch TV could be taking part in criminal behaviour on behalf of international mobs. Today's computers are so powerful, and internet connections so fast, that there's plenty of space to go around – even if something is taking up bandwidth, you won't necessarily see things slow down.

Nowadays such behaviour isn't limited to computers. Indeed, one of the growing aspects of botnets is devices that aren't computers – but appliances, home cameras, and other internet-connected bits of kit that might be sitting around the house. People aren't necessarily even aware that these are connected to the internet, let alone that they need to be updated and kept secure like a computer – what's more, with many cheap devices there might not actually be an obvious way to do so.

Last year, for instance, the world saw the major "Mirai" botnet attack which wiped out internet across parts of the world. And that was largely carried out by internet of things devices – internet-connected gadgets with lacking security that were tied together and used to point at a specific part of the web's infrastructure.

Still, despite that, some accounts suggest that botnets aren't actually increasing. There are some problems slowing the use of the tools, which is leading some cyber criminals to head elsewhere.

Cyber security firm Malwarebytes found 7,759 botnet detections from 2016 to November 2017, according to data provided exclusively to The Independent. That's actually a reduction from last year, with only 2,456 this year compared to 5,303 detections in 2016. It's possible that we're currently in a lull – with computers sufficiently advanced to not allow people in, and smart devices not yet widespread enough to be used meaningfully.

As the number and availability of botnets drops, there is getting to be something nostalgic about them – they require a level of technical complexity and ingenuity that isn't present in other scams online.

"Botnets really have been around as long as we've done things purposefully online," says David Emm, principal security researcher at Kaspersky Lab. "If we're banking online, shopping online, these are all activities people can subvert."

As such, there's something strangely honest about such botnets, since they've taken on a sort of artistry and craft that's impressive in a way that just inserting a dodgy ad into a web page isn't.

"There is a bit of a connoisseur aspect to it now," says Chris Boyd, malware analyst at Malwarebytes, meaning that it can be a good way of gathering a reputation online. "To be able to actually set up a botnet and do something clever with it, make money off it, is quite a skill.

"We tend to see a lot of very, very clever, grand schemes and really elegant solutions," he says, pointing to one example where people were able to take use a Twitter account to send directions to an army of computers. "But in terms of actually moneymaking it's still meat and potatoes."

If you want to actually turn your botnet into a cash-generating machine, then you have to put it to some use: having people pay to knock website offline, download malware, or use it to break into online bank accounts. That takes a lot of work and is easily stopped, making it a difficult route to go down when there are much easier money-making crimes available on the internet.

"So the really clever, sophisticated ones and leftfield ones are great experiments for scammers to dabble in," he says, but most people would opt to go for something a little more easy to get into and back out of, with a bigger payoff.

The other big problem is that it's simply too easy to be found out if you're running such a scheme. Botnets, by design, have to regularly check in with their owners – and it can be relatively easy to follow that message all the way down and find the person running it at the other end. That also makes growth dangerous – the larger the botnet, the bigger the risk, because you're leaving more and more digital footprints across more of the internet.

Some botnet operators will even take special measures to try and stop that happening. "We do see a lot of communication from the creators of these sorts of infrastructure where they're pushing heavy terms of use," says Jens Monrad, a senior analyst at FireEye. "So that could be saying you're not allowed to infect specific victims or countries because that will put pressure on the creators. Typically we see that there is a lot of things from a cyber criminal perspective that you have to accept to use the infrastructure."

That doesn't mean that taking down the people running the botnets means taking down the infrastructure. Arrests can work as a deterrent, but not necessarily a way of stopping the botnet from running. Users still remain infected, and the infrastructure can still remain in place.

Often, for instance, law enforcement can trap and then shut down botnets through a process known as sinkholing. That involves grabbing the domains that are registered with the infections, and then allowing the data to drop into it, as well as tracing where it's coming from.

But often after the operations are over, those domains are then able to lapse. Someone else can then pick them back up and get to work using the botnet, despite the fact that person who once ran it might now be in prison.

"I don't want to downplay the actual success in taking down this infrastructure, but it's worth highlighting that we do see old malware families – they suddenly re-emerge because either the operator was successful in getting access to the infrastructure, or the takdown didn't cover everything."

As such, your computer might be free from being part of the botnet – and then get wakened back up and added back again. It's possible that an update to a computer might kill off an old, hibernating piece of malware, but it's also possible that it won't.

It's unlikely that anyone would be held responsible for the behaviour of their remotely controlled computer, though it's very possible that you might be told to ensure that people can't get in in the future. It's so hard to know it was happening that it's also difficult to know how you could be blamed for not spotting it.

However, that doesn't quite stop the sinister undertones of knowing that you might have been involved in such behaviour. Kaspersky's David Emm likens it to knowing that a gap behind your shed is being used for burglars to store their tools – even if you might not be using that shed, or see the burglars. "It's not necessarily impacting me, but I'm not very comfortable with being used in that way," he says.

That doesn't mean that there aren't things you should do – or that you will be let off just because you didn't know you were involved. Even if you're not being put in the frame for a crime, it doesn't mean you've not got a duty not to stop it.

The ways to do that are various – from the obvious to the slightly more complicated. First off is all the general internet security advice – update your systems and devices whenever you need to, and avoid obvious things like revealing your passwords or clicking on dodgy links.

"The less obvious stuff is, say, as soon as you install a device in a home – whether that be CCTV or a baby monitor or children's toys – think does it need to be connected?" says Emm. "And if I don't, switch that off.

"Does it come with a password? Great, let me change that. And the other thing is to check with the manufacturer if it can be updated – it's the same sort of advice as with any computer, but it's just less obvious to ask that question."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in